
When Edward Snowden leaked a veritable treasure trove of documents to Guardian journalists Glenn Greenwald and Laura Poitras, nobody could have predicted the impact his revelations would have upon the world. In particular, the Snowden revelations had a profound and significant effect on the crypto world for two important reasons.

Firstly, for the first time ever, there was a general awareness of the depths of government surveillance of the Internet, especially by the British and American security services. The aftermath of this was that consumers in ever greater numbers started looking towards encryption to protect their privacy.

The second was the catastrophic loss of public faith in proprietary, corporate encryption packages. This was largely a product of the discovery that RSA had been paid $10,000,000 by the American National Security Agency to compromise its flagship encryption software.

These two factors have resulted in a phenomenal surge of interest in open source encryption, both by consumers and power-users.

The problem is that encrypting messages has never been especially straightforward. The science behind secure encryption is ridiculously complicated, and most encryption packages aren’t especially user-friendly. As a result, they’ve not really penetrated the consumer sphere in any meaningful way.

Until now. Meet Keybase.io.


So, What’s This Keybase Thing Then?

Founded by Max Krohn and Chris Coyne, who previously founded OK Cupid, SparkNotes and TheSpark, Keybase is presently only available as a private alpha. It markets itself as “a public directory of publicly auditable public keys. All paired, for convenience, with unique usernames”.

Built upon the venerable and battle-hardened GNU Privacy Guard, Keybase allows users to easily encrypt, decrypt and share messages using a tried-and-tested encryption standard. Furthermore, every public key is tied to a user account on the Keybase website, which can in turn be linked to the user’s Twitter and GitHub accounts.

Messages can be encrypted through a relatively intuitive Node.js-based command-line application, or through the Keybase website. How does it work? Well, a bit like this.

First, you need to track the user you’re messaging. Here, I’m tracking MakeUseOf’s Android editor, Erez Zukerman. Hi Erez!

[Image: keybase-track]

Then open up a terminal window, and type the following.

[Image: keybase-encrypt]

keybase encrypt ezuk -s -m 'Hey Erez! Keybase is pretty cool, eh?'

So, what do the ‘-s’ and ‘-m’ flags do? Simply put, ‘-s’ means that you’re ‘signing’ your message, adding an extra layer of authentication to show that you were the original sender. ‘-m’ means that everything that follows is the message I send to Erez.

[Image: keybase-email]

I then copy the output into an email and shoot it off to Erez, who decrypts it using the following command.

keybase decrypt -m "message"
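The same sign-and-encrypt round trip, reproduced with GnuPG (which Keybase is built on) so you can see what the ‘-s’ flag and the recipient’s decrypt step actually do. This is an added example, not code from the article or from Keybase. It assumes `gpg` (GnuPG 2.1 or later) is on your PATH; the user ids `Alice Test <alice@example.test>` and `Erez Test <erez@example.test>` are constructed stand-ins for the author and Erez, and Keybase’s “track” step is represented simply by having the recipient’s public key in the keyring. The decrypt side adds the check a recipient actually wants: it only hands back the plaintext if the signature verified.

```shell
#!/bin/sh
# Added example: not the article's code and not Keybase's. It reproduces the
# article's `keybase encrypt ezuk -s -m '...'` / `keybase decrypt` round trip
# with GnuPG, which Keybase is built on.
# Assumptions: gpg (GnuPG 2.1+) is on PATH; the user ids below are constructed.
set -eu

# Generate an unprotected test key in the current GNUPGHOME.
# $1 = user id. "default default never" = default algorithm, default usage, no expiry.
make_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1" default default never 2>/dev/null
}

# Equivalent of `keybase encrypt <user> -s -m '<text>'`: sign as $1 (-s),
# encrypt to $2, and ASCII-armor the result so it can be pasted into an e-mail.
# Keybase's "track" step corresponds here to already holding the recipient's
# public key; --trust-model always stands in for that verification so that
# batch mode does not refuse a key whose ownertrust was never set.
encrypt_signed() {
    printf '%s' "$3" | gpg --batch --quiet --armor --trust-model always \
        --local-user "$1" --recipient "$2" --sign --encrypt 2>/dev/null
}

# Equivalent of `keybase decrypt -m "<message>"`, reading the armored message
# from stdin. The plaintext is printed only if gpg reported GOODSIG for the
# sender's signature in its machine-readable status output; otherwise fail.
decrypt_verified() {
    status=$(mktemp)
    plain=$(gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --status-fd 2 --decrypt 2>"$status")
    if grep -q '^\[GNUPG:\] GOODSIG ' "$status"; then
        rm -f "$status"
        printf '%s' "$plain"
    else
        rm -f "$status"
        return 1
    fi
}

# Full round trip in a throwaway keyring; returns the verified plaintext.
demo() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    make_key 'Alice Test <alice@example.test>'   # sender (constructed)
    make_key 'Erez Test <erez@example.test>'     # recipient (constructed)
    ciphertext=$(encrypt_signed 'alice@example.test' 'erez@example.test' \
        'Hey Erez! Keybase is pretty cool, eh?')
    result=$(printf '%s\n' "$ciphertext" | decrypt_verified)
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
    printf '%s' "$result"
}

demo
echo
```

Note that the recipient’s private key never leaves the recipient’s own keyring in this flow, which is exactly the property the command-line client preserves and the web client (discussed next) gives up.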

But You Mentioned A Website?

I’ve banged on heavily about the Keybase command-line application, which I think is an impressive, polished product. But I also mentioned that it’s possible to use the Keybase website to encrypt and decrypt messages.

[Image: keybase-website]

This first requires that you upload your private key to their servers. This is the key which is unique to you, and which is used to decrypt messages sent to you and to sign the ones you send. As the name implies, this is something which you need to keep absolutely, 100% secret.

If your private key is leaked, whoever holds it can decrypt any messages that were encrypted to you. Keybase has given assurances to users that any private keys stored on its servers are kept in a secure fashion. Despite that, I’m not happy that Keybase is asking its users to surrender their private keys in the first place. Erez Zukerman has some thoughts on the matter:

Whilst I don’t doubt the competence of the team behind Keybase, I wonder what would happen if they were subpoenaed for the private keys which have been submitted by their users. I’m also concerned about what would happen if they experienced a major security breach. As a result, there’s no way I can recommend that you use the Keybase web application in good conscience.

Conclusion

I predict that Keybase will find itself facing a mountain of challenges in the months to come. These will range from protecting users against government intrusion, to further simplifying the platform to the point where encryption becomes accessible without demanding that users hand over their private keys.

Despite that, in its present incarnation Keybase is a solid product, and one I recommend wholeheartedly. I’m pretty enamored with the command-line application, which is easy to install, easy to use and doesn’t require the user to provide their all-important private keys.

But what do you think? Drop me a comment below and let me know.

  1. johnw
    September 20, 2016 at 3:30 am

    I then copy the output into an email, which I then shoot off to Erez, where he’ll then decrypt it using the following command.

    Why don't you use a mail client that supports PGP, like Thunderbird?

  2. Valter
    June 4, 2016 at 2:18 am

    Maybe I missed it, but I don't see steps to install the app, nor whether it will run on all OSes. Running a non-GUI based app does not sound intuitive for the majority of the end users I know. Plus, copying and pasting the output of that command into an email? I hardly think the majority of the users I know will give it a try.
    On average, sending a message takes what? 2 seconds? With no attachments and no big text in the Subject and Body of the message. What if the MTA used by your company inserts a signature or disclaimer into your message? Boom, goodbye to this process? How much time will the user "invest" in running the app for every single important piece of message he/she sends and receives every day?
    For me, it doesn't scale. Although it is a good idea, for me, it is not practical. Maybe in the next version. Thanks.

  3. android underground
    March 28, 2014 at 12:26 pm

    The private key upload thing is not a big problem, because 99.9% of potential users will never get that far. They'll stop reading when they hit "relatively intuitive Node.js based command-line application."

  4. Kenton
    March 24, 2014 at 8:36 pm

    Doesn't this defeat the whole purpose behind public key crypto? Unfortunately if it becomes popular it will just be one more way users are encouraged to completely bypass strong security practices.

    • Matthew H
      March 31, 2014 at 3:14 pm

      Pretty much, yeah. The whole idea behind private keys is that they're supposed to be... Well... Private.

  5. dragonmouth
    March 24, 2014 at 1:28 pm

    It sounds oh so great in theory. But, of course, it all depends on Keybase servers being 100% secure. If they get compromised, whether because the security is not up to snuff or because, as is the case with RSA, for fee, someone built a backdoor into the server, the entire encrypt-decrypt process is an exercise in futility.

    • Matthew H
      March 31, 2014 at 3:14 pm

      And, of course, nothing is 100% secure. Thanks for your comment!
